authencesn compatibility problemn between software crypto and talitos driver

authencesn compatibility problemn between software crypto and talitos driver

[Chaoxing Lin]

1. Can any one point me which RFC describe how exactly authencesn should work?

2. I test Ipsec with "esp=aes256-sha512-esn!" options and found compatibility issue between kernel software crypto and talitos driver.
Talitos <---->talitos				Good
Soft crypto<---->soft crypto			Good
Soft crypto<---->talitos			link established but no traffic can pass through.

3. Looking at source code of latest stable kernel 3.8.2, I found that these two implementations don't agree on what's to be hashed in ESN case.
Talitos driver is more intuitive in that  "assoc (SPI, SN-hi, SN-low) + IV + payload" are hashed.
Kernel software crypto is counter-intuitive in that "hsg(SPI, SN-low) + sg(IV + payload) + tsg(SN-hi" are hashed.
I copy codelet from kernel 3.8.2 in the end.

Please let me know whether I read the code right. And which way is the right way.

Thanks

Chaoxing
 
Code from latest stable kernel 3.8.2

path: root/drivers/crypto/talitos.c

969: /* hmac data */
970:	desc->ptr[1].len = cpu_to_be16(areq->assoclen + ivsize);
	if (edesc->assoc_nents) {
		int tbl_off = edesc->src_nents + edesc->dst_nents + 2;
		struct talitos_ptr *tbl_ptr = &edesc->link_tbl[tbl_off];

		to_talitos_ptr(&desc->ptr[1], edesc->dma_link_tbl + tbl_off *
			       sizeof(struct talitos_ptr));
		desc->ptr[1].j_extent = DESC_PTR_LNKTBL_JUMP;

		/* assoc_nents - 1 entries for assoc, 1 for IV */
		sg_count = sg_to_link_tbl(areq->assoc, edesc->assoc_nents - 1,
					  areq->assoclen, tbl_ptr);

		/* add IV to link table */
		tbl_ptr += sg_count - 1;
		tbl_ptr->j_extent = 0;
		tbl_ptr++;
		to_talitos_ptr(tbl_ptr, edesc->iv_dma);
		tbl_ptr->len = cpu_to_be16(ivsize);
		tbl_ptr->j_extent = DESC_PTR_LNKTBL_RETURN;

		dma_sync_single_for_device(dev, edesc->dma_link_tbl,
					   edesc->dma_len, DMA_BIDIRECTIONAL);
	} else {
		to_talitos_ptr(&desc->ptr[1], sg_dma_address(areq->assoc));
		desc->ptr[1].j_extent = 0;
996:	}



path: root/crypto/authencesn.c

372:	err = crypto_ahash_init(ahreq);
373:	if (err)
		return ERR_PTR(err);

	ahash_request_set_crypt(ahreq, areq_ctx->hsg, hash, areq_ctx->headlen);
	ahash_request_set_callback(ahreq, aead_request_flags(req) & flags,
				   areq_ctx->update_complete, req);

	err = crypto_ahash_update(ahreq);
	if (err)
		return ERR_PTR(err);

	ahash_request_set_crypt(ahreq, areq_ctx->sg, hash, areq_ctx->cryptlen);
	ahash_request_set_callback(ahreq, aead_request_flags(req) & flags,
				   areq_ctx->update_complete2, req);

	err = crypto_ahash_update(ahreq);
	if (err)
		return ERR_PTR(err);

	ahash_request_set_crypt(ahreq, areq_ctx->tsg, hash,
				areq_ctx->trailen);
	ahash_request_set_callback(ahreq, aead_request_flags(req) & flags,
				   areq_ctx->complete, req);

397:	err = crypto_ahash_finup(ahreq);

Re: authencesn compatibility problemn between software crypto and talitos driver

[Steffen Klassert]

Ccing Horia Geanta, he did the esn implementation for talitos.

On Fri, Mar 08, 2013 at 03:27:48PM +0000, Chaoxing Lin wrote:
> 1. Can any one point me which RFC describe how exactly authencesn should work?
> 

The ESN algorithm is described in RFC 4303 IP Encapsulating Security
Payload (ESP).

> 2. I test Ipsec with "esp=aes256-sha512-esn!" options and found compatibility issue between kernel software crypto and talitos driver.
> Talitos <---->talitos				Good
> Soft crypto<---->soft crypto			Good
> Soft crypto<---->talitos			link established but no traffic can pass through.
> 
> 3. Looking at source code of latest stable kernel 3.8.2, I found that these two implementations don't agree on what's to be hashed in ESN case.
> Talitos driver is more intuitive in that  "assoc (SPI, SN-hi, SN-low) + IV + payload" are hashed.

The ESN implementation of the talitos driver looks rather scary,
it just renames authenc to authencesn in talitos_probe(). The
algorithm pretends to be authencesn but still does authenc, of course.
authencesn has to be implemented, it is not sufficient to change
the name, really.

> Kernel software crypto is counter-intuitive in that "hsg(SPI, SN-low) + sg(IV + payload) + tsg(SN-hi" are hashed.

This might look counterintuitive, but that's what RFC 4303 describes
for ESN if separate encryption and integrity algorithms are used.

Re: authencesn compatibility problemn between software crypto and talitos driver

[Horia Geantă]

On 3/11/2013 9:15 AM, Steffen Klassert wrote:
> Ccing Horia Geanta, he did the esn implementation for talitos.
>
> On Fri, Mar 08, 2013 at 03:27:48PM +0000, Chaoxing Lin wrote:
>> 1. Can any one point me which RFC describe how exactly authencesn should work?
>>
>
> The ESN algorithm is described in RFC 4303 IP Encapsulating Security
> Payload (ESP).
>
>> 2. I test Ipsec with "esp=aes256-sha512-esn!" options and found compatibility issue between kernel software crypto and talitos driver.
>> Talitos <---->talitos				Good
>> Soft crypto<---->soft crypto			Good
>> Soft crypto<---->talitos			link established but no traffic can pass through.

That's what happens when interop testing is not performed...

>>
>> 3. Looking at source code of latest stable kernel 3.8.2, I found that these two implementations don't agree on what's to be hashed in ESN case.
>> Talitos driver is more intuitive in that  "assoc (SPI, SN-hi, SN-low) + IV + payload" are hashed.
>
> The ESN implementation of the talitos driver looks rather scary,
> it just renames authenc to authencesn in talitos_probe(). The
> algorithm pretends to be authencesn but still does authenc, of course.
> authencesn has to be implemented, it is not sufficient to change
> the name, really.

Seems that somehow I got confused, considering the "one/single-pass over 
data" description the same as "combined mode algorithm".

I will post a fix or revert the patch if HW does not allow the correct 
behaviour.

>
>> Kernel software crypto is counter-intuitive in that "hsg(SPI, SN-low) + sg(IV + payload) + tsg(SN-hi" are hashed.
>
> This might look counterintuitive, but that's what RFC 4303 describes
> for ESN if separate encryption and integrity algorithms are used.

Yes, appending the SN-hi after Payload (Next Header) is the correct way 
to handle separate encryption and integrity algos.

For combined ones (AES-CCM, AES-GCM, AES-GMAC etc.), behavior is defined 
separately in corresponding RFCs (4309, 4106, 4543). Usually SN-hi is 
positioned between SPI and SN-lo.

RE: authencesn compatibility problemn between software crypto and talitos driver

[Chaoxing Lin]

> Seems that somehow I got confused, considering the "one/single-pass over data" description the same as "combined mode algorithm".
> I will post a fix or revert the patch if HW does not allow the correct behaviour.

Horia,

Do you plan to fix talitos driver to make it ESN capable in the near future? Or just simply remove ESN option completely.

The freescale crypto engine is still capable of doing AES-CBC + HMAC-SHAxxx in one shot.
"DESC_HDR_TYPE_IPSEC_ESP" may not able to achieve authencesn.
But the hmac-snoop-aes should do the job well. 
2 descriptors are needed.
The first one is to do AES-CBC,
The second one snoop the output from the first crypto operation and then does HMAC-SHAxxx.
The two descriptors are chained and pushed to crypto engine at the same time. Callback is triggered only when both operations are done.
Since you are from freescale, I assume you know what I am talking about.

Re: authencesn compatibility problemn between software crypto and talitos driver

[Horia Geantă]

On 3/12/2013 10:57 PM, Chaoxing Lin wrote:
>
>> Seems that somehow I got confused, considering the "one/single-pass over data" description the same as "combined mode algorithm".
>> I will post a fix or revert the patch if HW does not allow the correct behaviour.
>
> Horia,
>
> Do you plan to fix talitos driver to make it ESN capable in the near future? Or just simply remove ESN option completely.

On-going discussion internally, since right now adding proper support 
for ESN doesn't seem to be trivial, so right now I don't have an answer.

>
> The freescale crypto engine is still capable of doing AES-CBC + HMAC-SHAxxx in one shot.
> "DESC_HDR_TYPE_IPSEC_ESP" may not able to achieve authencesn.

Correct. And that's why I think reverting "crypto: talitos - add IPsec 
ESN support" is the right thing to do.

> But the hmac-snoop-aes should do the job well.

You mean "hmac_snoop_no_afeu" (defined DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU 
but not implemented...) ? I doubt this is the straightforward choice.

> 2 descriptors are needed.

Agree.

> The first one is to do AES-CBC,
> The second one snoop the output from the first crypto operation and then does HMAC-SHAxxx.
> The two descriptors are chained and pushed to crypto engine at the same time. Callback is triggered only when both operations are done.

 From the looks of it, both descriptors need to be of type 
"DESC_HDR_TYPE_COMMON_NONSNOOP_NO_AFEU", first - ablkcipher - doing 
aes(cbc), second - ahash - performing hmac(sha).

> Since you are from freescale, I assume you know what I am talking about.

Try searching "AN3645 SEC 2/3x Descriptor Programmer’s Guide", the 
application note contains more details than the reference manual I 
assume you are using.

Re: authencesn compatibility problemn between software crypto and talitos driver

[Kim Phillips]

On Thu, 14 Mar 2013 12:21:20 +0200
Horia Geantă <horia.geanta@freescale.com> wrote:

> On 3/12/2013 10:57 PM, Chaoxing Lin wrote:
> > The freescale crypto engine is still capable of doing AES-CBC + HMAC-SHAxxx in one shot.
> > "DESC_HDR_TYPE_IPSEC_ESP" may not able to achieve authencesn.
> 
> Correct. And that's why I think reverting "crypto: talitos - add IPsec 
> ESN support" is the right thing to do.

This would need to happen for -stable anyway.

Kim